A widely used WordPress backup plugin, installed on over 200,000 websites, has recently addressed a significant vulnerability that could be abused to trigger a denial of service attack. Wordfence rated it High severity, with a CVSS score of 7.5/10, which underscores how important it is for users of the plugin to update promptly to the patched version.
Backuply Plugin
The vulnerability impacts the Backuply WordPress backup plugin. Backup creation is a crucial function for all websites, not just those on WordPress, as it enables publishers to revert to previous versions in case of server failure or data loss during a catastrophic event.
Website backups serve various purposes, including site migrations, recovery from hacking incidents, and rectifying failed updates that render a website non-functional.
Backuply stands out as a particularly valuable plugin because it not only backs up data to multiple trusted third-party cloud services but also supports various methods to download local copies. This ensures redundant backups, allowing site recovery from locally stored backups if a cloud backup becomes corrupted.
As per Backuply’s statement:
“Backuply offers both Local Backups and Secure Cloud backups, seamlessly integrating with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, and Amazon S3, and providing easy one-click restoration.”
Vulnerability Affecting Backuply
According to the United States Government National Vulnerability Database, Backuply versions up to and including 1.2.5 are vulnerable to a flaw that could result in denial of service attacks.
The warning clarifies:
“The vulnerability arises from direct access to the backuply/restore_ins.php file, enabling unauthenticated attackers to send excessive requests, ultimately exhausting server resources.”
Denial Of Service (DoS) Attack
A denial of service (DoS) attack occurs when a software flaw permits an attacker to inundate a server with rapid requests, depleting its resources and rendering it unable to handle additional requests, including serving webpages to site visitors.
One characteristic of DoS attacks is the potential for attackers to upload scripts, HTML, or other code that can be executed, granting them virtually unrestricted access to perform various actions.
Due to the severity of their impact, vulnerabilities facilitating DoS attacks are deemed critical, and immediate steps should be taken to mitigate them.
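The advisory above describes the flaw as unauthenticated, repeated direct requests to the backuply/restore_ins.php file. The following script is an added example, not code from the article or from the Backuply project: it reads web-server access-log lines in combined log format and flags any client that hits that file more than a threshold number of times inside a sliding time window, which is the request pattern a site operator would want to spot while rolling out the 1.2.6 update. The wp-content/plugins prefix on the path is the standard WordPress plugin location and is assumed here; the log lines are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Plugin file named in the advisory; the wp-content/plugins prefix is the
# standard WordPress plugin location and is assumed here.
TARGET_PATH = "/wp-content/plugins/backuply/restore_ins.php"

# Combined-log-format fields used: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample access-log lines (not real traffic): 203.0.113.7 hammers
# restore_ins.php, 198.51.100.4 touches it once, 203.0.113.9 only browses.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2024:10:00:01 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [08/Feb/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2024:10:00:02 +0000] "GET /wp-content/plugins/backuply/restore_ins.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [08/Feb/2024:10:00:03 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [08/Feb/2024:10:00:04 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2024:10:00:05 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [08/Feb/2024:10:00:06 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [08/Feb/2024:10:00:09 +0000] "GET /wp-content/plugins/backuply/restore_ins.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def find_flood_sources(log_text, window_seconds=60, threshold=5):
    """Flag IPs hitting TARGET_PATH >= threshold times inside any window; returns {ip: peak hits}."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != TARGET_PATH:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale hits
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Running `find_flood_sources(SAMPLE_LOG)` over the sample data flags only 203.0.113.7 (six hits inside one window); the single visit from 198.51.100.4 stays below the threshold. Query strings are stripped before matching so a request with trailing parameters still counts as a hit on the same file.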
Backuply Changelog Documentation
The official Backuply changelog, which meticulously documents every update, indicates that a fix was introduced in version 1.2.6. This prompt action demonstrates Backuply’s transparency and responsible approach, reflecting positively on the developer’s trustworthiness.
As per the Changelog:
“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] Addressed an issue where logs could be filled up in certain scenarios. Reported by Villu Orav (WordFence)”
Recommendations
All Backuply plugin users are strongly advised to update promptly to the patched version (1.2.6 or later) to mitigate the risk of any potential security breaches.
Refer to the National Vulnerability Database for details on the vulnerability:
CVE-2024-0842
Original news from SearchEngineJournal